1 /******************************************************************************
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
6 * Copyright (c) 2005 Keir Fraser
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privileged instructions:
11 * Copyright (C) 2006 Qumranet
12 * Copyright 2010 Red Hat, Inc. and/or its affilates.
17 * This work is licensed under the terms of the GNU GPL, version 2. See
18 * the COPYING file in the top-level directory.
20 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
26 #include <public/xen.h>
27 #define DPRINTF(_f, _a ...) printf(_f , ## _a)
29 #include <linux/kvm_host.h>
30 #include "kvm_cache_regs.h"
31 #define DPRINTF(x...) do {} while (0)
33 #include <linux/module.h>
34 #include <asm/kvm_emulate.h>
40 * Opcode effective-address decode tables.
41 * Note that we only emulate instructions that have at least one memory
42 * operand (excluding implicit stack references). We assume that stack
43 * references and instruction fetches will never occur in special memory
44 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
48 /* Operand sizes: 8-bit operands or specified/overridden size. */
49 #define ByteOp (1<<0) /* 8-bit operands. */
50 /* Destination operand type. */
51 #define ImplicitOps (1<<1) /* Implicit in opcode. No generic decode. */
52 #define DstReg (2<<1) /* Register operand. */
53 #define DstMem (3<<1) /* Memory operand. */
54 #define DstAcc (4<<1) /* Destination Accumulator */
55 #define DstDI (5<<1) /* Destination is in ES:(E)DI */
56 #define DstMem64 (6<<1) /* 64bit memory operand */
57 #define DstMask (7<<1)
58 /* Source operand type. */
59 #define SrcNone (0<<4) /* No source operand. */
60 #define SrcImplicit (0<<4) /* Source operand is implicit in the opcode. */
61 #define SrcReg (1<<4) /* Register operand. */
62 #define SrcMem (2<<4) /* Memory operand. */
63 #define SrcMem16 (3<<4) /* Memory operand (16-bit). */
64 #define SrcMem32 (4<<4) /* Memory operand (32-bit). */
65 #define SrcImm (5<<4) /* Immediate operand. */
66 #define SrcImmByte (6<<4) /* 8-bit sign-extended immediate operand. */
67 #define SrcOne (7<<4) /* Implied '1' */
68 #define SrcImmUByte (8<<4) /* 8-bit unsigned immediate operand. */
69 #define SrcImmU (9<<4) /* Immediate operand, unsigned */
70 #define SrcSI (0xa<<4) /* Source is in the DS:RSI */
71 #define SrcImmFAddr (0xb<<4) /* Source is immediate far address */
72 #define SrcMemFAddr (0xc<<4) /* Source is far address in memory */
73 #define SrcAcc (0xd<<4) /* Source Accumulator */
74 #define SrcMask (0xf<<4)
75 /* Generic ModRM decode. */
77 /* Destination is only written; never read. */
80 #define MemAbs (1<<11) /* Memory operand is absolute displacement */
81 #define String (1<<12) /* String instruction (rep capable) */
82 #define Stack (1<<13) /* Stack instruction (push/pop) */
83 #define Group (1<<14) /* Bits 3:5 of modrm byte extend opcode */
84 #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
85 #define GroupMask 0xff /* Group number stored in bits 0:7 */
87 #define Lock (1<<26) /* lock prefix is allowed for the instruction */
88 #define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
90 /* Source 2 operand type */
91 #define Src2None (0<<29)
92 #define Src2CL (1<<29)
93 #define Src2ImmByte (2<<29)
94 #define Src2One (3<<29)
95 #define Src2Mask (7<<29)
98 Group1_80, Group1_81, Group1_82, Group1_83,
99 Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
103 static u32 opcode_table[256] = {
105 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
106 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
107 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
108 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
110 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
111 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
112 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
113 ImplicitOps | Stack | No64, 0,
115 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
116 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
117 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
118 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
120 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
121 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
122 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
123 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
125 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
126 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
127 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
129 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
130 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
131 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
133 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
134 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
135 ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
137 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
138 ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
139 ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
142 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
144 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
146 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
147 SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
149 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
150 DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
152 ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
153 0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
156 SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
157 DstDI | ByteOp | Mov | String, DstDI | Mov | String, /* insb, insw/insd */
158 SrcSI | ByteOp | ImplicitOps | String, SrcSI | ImplicitOps | String, /* outsb, outsw/outsd */
160 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
161 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
163 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
164 SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
166 Group | Group1_80, Group | Group1_81,
167 Group | Group1_82, Group | Group1_83,
168 ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
169 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
171 ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
172 ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
173 DstMem | SrcNone | ModRM | Mov, ModRM | DstReg,
174 ImplicitOps | SrcMem16 | ModRM, Group | Group1A,
176 DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
178 0, 0, SrcImmFAddr | No64, 0,
179 ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
181 ByteOp | DstAcc | SrcMem | Mov | MemAbs, DstAcc | SrcMem | Mov | MemAbs,
182 ByteOp | DstMem | SrcAcc | Mov | MemAbs, DstMem | SrcAcc | Mov | MemAbs,
183 ByteOp | SrcSI | DstDI | Mov | String, SrcSI | DstDI | Mov | String,
184 ByteOp | SrcSI | DstDI | String, SrcSI | DstDI | String,
186 DstAcc | SrcImmByte | ByteOp, DstAcc | SrcImm, ByteOp | DstDI | Mov | String, DstDI | Mov | String,
187 ByteOp | SrcSI | DstAcc | Mov | String, SrcSI | DstAcc | Mov | String,
188 ByteOp | DstDI | String, DstDI | String,
190 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
191 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
192 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
193 ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
195 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
196 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
197 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
198 DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
200 ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
201 0, ImplicitOps | Stack, 0, 0,
202 ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
204 0, 0, 0, ImplicitOps | Stack,
205 ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
207 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
208 ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
211 0, 0, 0, 0, 0, 0, 0, 0,
214 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
215 ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
217 SrcImm | Stack, SrcImm | ImplicitOps,
218 SrcImmFAddr | No64, SrcImmByte | ImplicitOps,
219 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
220 SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
223 ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
225 ImplicitOps, 0, ImplicitOps, ImplicitOps,
226 ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
229 static u32 twobyte_table[256] = {
231 0, Group | GroupDual | Group7, 0, 0,
232 0, ImplicitOps, ImplicitOps | Priv, 0,
233 ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
234 0, ImplicitOps | ModRM, 0, 0,
236 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
238 ModRM | ImplicitOps | Priv, ModRM | Priv,
239 ModRM | ImplicitOps | Priv, ModRM | Priv,
241 0, 0, 0, 0, 0, 0, 0, 0,
243 ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
244 ImplicitOps, ImplicitOps | Priv, 0, 0,
245 0, 0, 0, 0, 0, 0, 0, 0,
247 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
248 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
249 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
250 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
252 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
253 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
254 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
255 DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
257 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
259 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
261 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
263 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
264 SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
266 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
268 ImplicitOps | Stack, ImplicitOps | Stack,
269 0, DstMem | SrcReg | ModRM | BitOp,
270 DstMem | SrcReg | Src2ImmByte | ModRM,
271 DstMem | SrcReg | Src2CL | ModRM, 0, 0,
273 ImplicitOps | Stack, ImplicitOps | Stack,
274 0, DstMem | SrcReg | ModRM | BitOp | Lock,
275 DstMem | SrcReg | Src2ImmByte | ModRM,
276 DstMem | SrcReg | Src2CL | ModRM,
279 ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
280 0, DstMem | SrcReg | ModRM | BitOp | Lock,
281 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
282 DstReg | SrcMem16 | ModRM | Mov,
285 Group | Group8, DstMem | SrcReg | ModRM | BitOp | Lock,
286 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
287 DstReg | SrcMem16 | ModRM | Mov,
289 0, 0, 0, DstMem | SrcReg | ModRM | Mov,
290 0, 0, 0, Group | GroupDual | Group9,
291 0, 0, 0, 0, 0, 0, 0, 0,
293 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
295 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
297 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
300 static u32 group_table[] = {
302 ByteOp | DstMem | SrcImm | ModRM | Lock,
303 ByteOp | DstMem | SrcImm | ModRM | Lock,
304 ByteOp | DstMem | SrcImm | ModRM | Lock,
305 ByteOp | DstMem | SrcImm | ModRM | Lock,
306 ByteOp | DstMem | SrcImm | ModRM | Lock,
307 ByteOp | DstMem | SrcImm | ModRM | Lock,
308 ByteOp | DstMem | SrcImm | ModRM | Lock,
309 ByteOp | DstMem | SrcImm | ModRM,
311 DstMem | SrcImm | ModRM | Lock,
312 DstMem | SrcImm | ModRM | Lock,
313 DstMem | SrcImm | ModRM | Lock,
314 DstMem | SrcImm | ModRM | Lock,
315 DstMem | SrcImm | ModRM | Lock,
316 DstMem | SrcImm | ModRM | Lock,
317 DstMem | SrcImm | ModRM | Lock,
318 DstMem | SrcImm | ModRM,
320 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
321 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
322 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
323 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
324 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
325 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
326 ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
327 ByteOp | DstMem | SrcImm | ModRM | No64,
329 DstMem | SrcImmByte | ModRM | Lock,
330 DstMem | SrcImmByte | ModRM | Lock,
331 DstMem | SrcImmByte | ModRM | Lock,
332 DstMem | SrcImmByte | ModRM | Lock,
333 DstMem | SrcImmByte | ModRM | Lock,
334 DstMem | SrcImmByte | ModRM | Lock,
335 DstMem | SrcImmByte | ModRM | Lock,
336 DstMem | SrcImmByte | ModRM,
338 DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
340 ByteOp | SrcImm | DstMem | ModRM, ByteOp | SrcImm | DstMem | ModRM,
341 ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
344 DstMem | SrcImm | ModRM, DstMem | SrcImm | ModRM,
345 DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
348 ByteOp | DstMem | SrcNone | ModRM | Lock, ByteOp | DstMem | SrcNone | ModRM | Lock,
351 DstMem | SrcNone | ModRM | Lock, DstMem | SrcNone | ModRM | Lock,
352 SrcMem | ModRM | Stack, 0,
353 SrcMem | ModRM | Stack, SrcMemFAddr | ModRM | ImplicitOps,
354 SrcMem | ModRM | Stack, 0,
356 0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
357 SrcNone | ModRM | DstMem | Mov, 0,
358 SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
361 DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM | Lock,
362 DstMem | SrcImmByte | ModRM | Lock, DstMem | SrcImmByte | ModRM | Lock,
364 0, DstMem64 | ModRM | Lock, 0, 0, 0, 0, 0, 0,
367 static u32 group2_table[] = {
369 SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM | Priv,
370 SrcNone | ModRM | DstMem | Mov, 0,
371 SrcMem16 | ModRM | Mov | Priv, 0,
373 0, 0, 0, 0, 0, 0, 0, 0,
376 /* EFLAGS bit definitions. */
377 #define EFLG_ID (1<<21)
378 #define EFLG_VIP (1<<20)
379 #define EFLG_VIF (1<<19)
380 #define EFLG_AC (1<<18)
381 #define EFLG_VM (1<<17)
382 #define EFLG_RF (1<<16)
383 #define EFLG_IOPL (3<<12)
384 #define EFLG_NT (1<<14)
385 #define EFLG_OF (1<<11)
386 #define EFLG_DF (1<<10)
387 #define EFLG_IF (1<<9)
388 #define EFLG_TF (1<<8)
389 #define EFLG_SF (1<<7)
390 #define EFLG_ZF (1<<6)
391 #define EFLG_AF (1<<4)
392 #define EFLG_PF (1<<2)
393 #define EFLG_CF (1<<0)
396 * Instruction emulation:
397 * Most instructions are emulated directly via a fragment of inline assembly
398 * code. This allows us to save/restore EFLAGS and thus very easily pick up
399 * any modified flags.
402 #if defined(CONFIG_X86_64)
403 #define _LO32 "k" /* force 32-bit operand */
404 #define _STK "%%rsp" /* stack pointer */
405 #elif defined(__i386__)
406 #define _LO32 "" /* force 32-bit operand */
407 #define _STK "%%esp" /* stack pointer */
411 * These EFLAGS bits are restored from saved value during emulation, and
412 * any changes are written back to the saved value after emulation.
414 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
416 /* Before executing instruction: restore necessary bits in EFLAGS. */
417 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
418 /* EFLAGS = (_sav & _msk) | (EFLAGS & ~_msk); _sav &= ~_msk; */ \
419 "movl %"_sav",%"_LO32 _tmp"; " \
422 "movl %"_msk",%"_LO32 _tmp"; " \
423 "andl %"_LO32 _tmp",("_STK"); " \
425 "notl %"_LO32 _tmp"; " \
426 "andl %"_LO32 _tmp",("_STK"); " \
427 "andl %"_LO32 _tmp","__stringify(BITS_PER_LONG/4)"("_STK"); " \
429 "orl %"_LO32 _tmp",("_STK"); " \
433 /* After executing instruction: write-back necessary bits in EFLAGS. */
434 #define _POST_EFLAGS(_sav, _msk, _tmp) \
435 /* _sav |= EFLAGS & _msk; */ \
438 "andl %"_msk",%"_LO32 _tmp"; " \
439 "orl %"_LO32 _tmp",%"_sav"; "
447 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
449 __asm__ __volatile__ ( \
450 _PRE_EFLAGS("0", "4", "2") \
451 _op _suffix " %"_x"3,%1; " \
452 _POST_EFLAGS("0", "4", "2") \
453 : "=m" (_eflags), "=m" ((_dst).val), \
455 : _y ((_src).val), "i" (EFLAGS_MASK)); \
459 /* Raw emulation: instruction has two explicit operands. */
460 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
462 unsigned long _tmp; \
464 switch ((_dst).bytes) { \
466 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
469 ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
472 ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
477 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
479 unsigned long _tmp; \
480 switch ((_dst).bytes) { \
482 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
485 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
486 _wx, _wy, _lx, _ly, _qx, _qy); \
491 /* Source operand is byte-sized and may be restricted to just %cl. */
492 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
493 __emulate_2op(_op, _src, _dst, _eflags, \
494 "b", "c", "b", "c", "b", "c", "b", "c")
496 /* Source operand is byte, word, long or quad sized. */
497 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
498 __emulate_2op(_op, _src, _dst, _eflags, \
499 "b", "q", "w", "r", _LO32, "r", "", "r")
501 /* Source operand is word, long or quad sized. */
502 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
503 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
504 "w", "r", _LO32, "r", "", "r")
506 /* Instruction has three operands and one operand is stored in ECX register */
507 #define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
509 unsigned long _tmp; \
510 _type _clv = (_cl).val; \
511 _type _srcv = (_src).val; \
512 _type _dstv = (_dst).val; \
514 __asm__ __volatile__ ( \
515 _PRE_EFLAGS("0", "5", "2") \
516 _op _suffix " %4,%1 \n" \
517 _POST_EFLAGS("0", "5", "2") \
518 : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp) \
519 : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK) \
522 (_cl).val = (unsigned long) _clv; \
523 (_src).val = (unsigned long) _srcv; \
524 (_dst).val = (unsigned long) _dstv; \
527 #define emulate_2op_cl(_op, _cl, _src, _dst, _eflags) \
529 switch ((_dst).bytes) { \
531 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
532 "w", unsigned short); \
535 __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
536 "l", unsigned int); \
539 ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
540 "q", unsigned long)); \
545 #define __emulate_1op(_op, _dst, _eflags, _suffix) \
547 unsigned long _tmp; \
549 __asm__ __volatile__ ( \
550 _PRE_EFLAGS("0", "3", "2") \
551 _op _suffix " %1; " \
552 _POST_EFLAGS("0", "3", "2") \
553 : "=m" (_eflags), "+m" ((_dst).val), \
555 : "i" (EFLAGS_MASK)); \
558 /* Instruction has only one explicit operand (no source operand). */
559 #define emulate_1op(_op, _dst, _eflags) \
561 switch ((_dst).bytes) { \
562 case 1: __emulate_1op(_op, _dst, _eflags, "b"); break; \
563 case 2: __emulate_1op(_op, _dst, _eflags, "w"); break; \
564 case 4: __emulate_1op(_op, _dst, _eflags, "l"); break; \
565 case 8: ON64(__emulate_1op(_op, _dst, _eflags, "q")); break; \
569 /* Fetch next part of the instruction being emulated. */
570 #define insn_fetch(_type, _size, _eip) \
571 ({ unsigned long _x; \
572 rc = do_insn_fetch(ctxt, ops, (_eip), &_x, (_size)); \
573 if (rc != X86EMUL_CONTINUE) \
579 #define insn_fetch_arr(_arr, _size, _eip) \
580 ({ rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size)); \
581 if (rc != X86EMUL_CONTINUE) \
586 static inline unsigned long ad_mask(struct decode_cache *c)
588 return (1UL << (c->ad_bytes << 3)) - 1;
591 /* Access/update address held in a register, based on addressing mode. */
592 static inline unsigned long
593 address_mask(struct decode_cache *c, unsigned long reg)
595 if (c->ad_bytes == sizeof(unsigned long))
598 return reg & ad_mask(c);
601 static inline unsigned long
602 register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
604 return base + address_mask(c, reg);
608 register_address_increment(struct decode_cache *c, unsigned long *reg, int inc)
610 if (c->ad_bytes == sizeof(unsigned long))
613 *reg = (*reg & ~ad_mask(c)) | ((*reg + inc) & ad_mask(c));
616 static inline void jmp_rel(struct decode_cache *c, int rel)
618 register_address_increment(c, &c->eip, rel);
621 static void set_seg_override(struct decode_cache *c, int seg)
623 c->has_seg_override = true;
624 c->seg_override = seg;
627 static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
628 struct x86_emulate_ops *ops, int seg)
630 if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
633 return ops->get_cached_segment_base(seg, ctxt->vcpu);
636 static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
637 struct x86_emulate_ops *ops,
638 struct decode_cache *c)
640 if (!c->has_seg_override)
643 return seg_base(ctxt, ops, c->seg_override);
646 static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
647 struct x86_emulate_ops *ops)
649 return seg_base(ctxt, ops, VCPU_SREG_ES);
652 static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
653 struct x86_emulate_ops *ops)
655 return seg_base(ctxt, ops, VCPU_SREG_SS);
658 static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
659 u32 error, bool valid)
661 ctxt->exception = vec;
662 ctxt->error_code = error;
663 ctxt->error_code_valid = valid;
664 ctxt->restart = false;
667 static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
669 emulate_exception(ctxt, GP_VECTOR, err, true);
672 static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
676 emulate_exception(ctxt, PF_VECTOR, err, true);
679 static void emulate_ud(struct x86_emulate_ctxt *ctxt)
681 emulate_exception(ctxt, UD_VECTOR, 0, false);
684 static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
686 emulate_exception(ctxt, TS_VECTOR, err, true);
689 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
690 struct x86_emulate_ops *ops,
691 unsigned long eip, u8 *dest)
693 struct fetch_cache *fc = &ctxt->decode.fetch;
697 if (eip == fc->end) {
698 cur_size = fc->end - fc->start;
699 size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
700 rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
701 size, ctxt->vcpu, NULL);
702 if (rc != X86EMUL_CONTINUE)
706 *dest = fc->data[eip - fc->start];
707 return X86EMUL_CONTINUE;
710 static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
711 struct x86_emulate_ops *ops,
712 unsigned long eip, void *dest, unsigned size)
716 /* x86 instructions are limited to 15 bytes. */
717 if (eip + size - ctxt->eip > 15)
718 return X86EMUL_UNHANDLEABLE;
720 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
721 if (rc != X86EMUL_CONTINUE)
724 return X86EMUL_CONTINUE;
728 * Given the 'reg' portion of a ModRM byte, and a register block, return a
729 * pointer into the block that addresses the relevant register.
730 * @highbyte_regs specifies whether to decode AH,CH,DH,BH.
732 static void *decode_register(u8 modrm_reg, unsigned long *regs,
737 p = ®s[modrm_reg];
738 if (highbyte_regs && modrm_reg >= 4 && modrm_reg < 8)
739 p = (unsigned char *)®s[modrm_reg & 3] + 1;
743 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
744 struct x86_emulate_ops *ops,
746 u16 *size, unsigned long *address, int op_bytes)
753 rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
755 if (rc != X86EMUL_CONTINUE)
757 rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
762 static int test_cc(unsigned int condition, unsigned int flags)
766 switch ((condition & 15) >> 1) {
768 rc |= (flags & EFLG_OF);
770 case 1: /* b/c/nae */
771 rc |= (flags & EFLG_CF);
774 rc |= (flags & EFLG_ZF);
777 rc |= (flags & (EFLG_CF|EFLG_ZF));
780 rc |= (flags & EFLG_SF);
783 rc |= (flags & EFLG_PF);
786 rc |= (flags & EFLG_ZF);
789 rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
793 /* Odd condition identifiers (lsb == 1) have inverted sense. */
794 return (!!rc ^ (condition & 1));
797 static void decode_register_operand(struct operand *op,
798 struct decode_cache *c,
801 unsigned reg = c->modrm_reg;
802 int highbyte_regs = c->rex_prefix == 0;
805 reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
807 if ((c->d & ByteOp) && !inhibit_bytereg) {
808 op->ptr = decode_register(reg, c->regs, highbyte_regs);
809 op->val = *(u8 *)op->ptr;
812 op->ptr = decode_register(reg, c->regs, 0);
813 op->bytes = c->op_bytes;
816 op->val = *(u16 *)op->ptr;
819 op->val = *(u32 *)op->ptr;
822 op->val = *(u64 *) op->ptr;
826 op->orig_val = op->val;
829 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
830 struct x86_emulate_ops *ops)
832 struct decode_cache *c = &ctxt->decode;
834 int index_reg = 0, base_reg = 0, scale;
835 int rc = X86EMUL_CONTINUE;
838 c->modrm_reg = (c->rex_prefix & 4) << 1; /* REX.R */
839 index_reg = (c->rex_prefix & 2) << 2; /* REX.X */
840 c->modrm_rm = base_reg = (c->rex_prefix & 1) << 3; /* REG.B */
843 c->modrm = insn_fetch(u8, 1, c->eip);
844 c->modrm_mod |= (c->modrm & 0xc0) >> 6;
845 c->modrm_reg |= (c->modrm & 0x38) >> 3;
846 c->modrm_rm |= (c->modrm & 0x07);
850 if (c->modrm_mod == 3) {
851 c->modrm_ptr = decode_register(c->modrm_rm,
852 c->regs, c->d & ByteOp);
853 c->modrm_val = *(unsigned long *)c->modrm_ptr;
857 if (c->ad_bytes == 2) {
858 unsigned bx = c->regs[VCPU_REGS_RBX];
859 unsigned bp = c->regs[VCPU_REGS_RBP];
860 unsigned si = c->regs[VCPU_REGS_RSI];
861 unsigned di = c->regs[VCPU_REGS_RDI];
863 /* 16-bit ModR/M decode. */
864 switch (c->modrm_mod) {
866 if (c->modrm_rm == 6)
867 c->modrm_ea += insn_fetch(u16, 2, c->eip);
870 c->modrm_ea += insn_fetch(s8, 1, c->eip);
873 c->modrm_ea += insn_fetch(u16, 2, c->eip);
876 switch (c->modrm_rm) {
878 c->modrm_ea += bx + si;
881 c->modrm_ea += bx + di;
884 c->modrm_ea += bp + si;
887 c->modrm_ea += bp + di;
896 if (c->modrm_mod != 0)
903 if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
904 (c->modrm_rm == 6 && c->modrm_mod != 0))
905 if (!c->has_seg_override)
906 set_seg_override(c, VCPU_SREG_SS);
907 c->modrm_ea = (u16)c->modrm_ea;
909 /* 32/64-bit ModR/M decode. */
910 if ((c->modrm_rm & 7) == 4) {
911 sib = insn_fetch(u8, 1, c->eip);
912 index_reg |= (sib >> 3) & 7;
916 if ((base_reg & 7) == 5 && c->modrm_mod == 0)
917 c->modrm_ea += insn_fetch(s32, 4, c->eip);
919 c->modrm_ea += c->regs[base_reg];
921 c->modrm_ea += c->regs[index_reg] << scale;
922 } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
923 if (ctxt->mode == X86EMUL_MODE_PROT64)
926 c->modrm_ea += c->regs[c->modrm_rm];
927 switch (c->modrm_mod) {
929 if (c->modrm_rm == 5)
930 c->modrm_ea += insn_fetch(s32, 4, c->eip);
933 c->modrm_ea += insn_fetch(s8, 1, c->eip);
936 c->modrm_ea += insn_fetch(s32, 4, c->eip);
944 static int decode_abs(struct x86_emulate_ctxt *ctxt,
945 struct x86_emulate_ops *ops)
947 struct decode_cache *c = &ctxt->decode;
948 int rc = X86EMUL_CONTINUE;
950 switch (c->ad_bytes) {
952 c->modrm_ea = insn_fetch(u16, 2, c->eip);
955 c->modrm_ea = insn_fetch(u32, 4, c->eip);
958 c->modrm_ea = insn_fetch(u64, 8, c->eip);
966 x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
968 struct decode_cache *c = &ctxt->decode;
969 int rc = X86EMUL_CONTINUE;
970 int mode = ctxt->mode;
971 int def_op_bytes, def_ad_bytes, group;
974 /* we cannot decode insn before we complete previous rep insn */
975 WARN_ON(ctxt->restart);
978 c->fetch.start = c->fetch.end = c->eip;
979 ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
982 case X86EMUL_MODE_REAL:
983 case X86EMUL_MODE_VM86:
984 case X86EMUL_MODE_PROT16:
985 def_op_bytes = def_ad_bytes = 2;
987 case X86EMUL_MODE_PROT32:
988 def_op_bytes = def_ad_bytes = 4;
991 case X86EMUL_MODE_PROT64:
1000 c->op_bytes = def_op_bytes;
1001 c->ad_bytes = def_ad_bytes;
1003 /* Legacy prefixes. */
1005 switch (c->b = insn_fetch(u8, 1, c->eip)) {
1006 case 0x66: /* operand-size override */
1007 /* switch between 2/4 bytes */
1008 c->op_bytes = def_op_bytes ^ 6;
1010 case 0x67: /* address-size override */
1011 if (mode == X86EMUL_MODE_PROT64)
1012 /* switch between 4/8 bytes */
1013 c->ad_bytes = def_ad_bytes ^ 12;
1015 /* switch between 2/4 bytes */
1016 c->ad_bytes = def_ad_bytes ^ 6;
1018 case 0x26: /* ES override */
1019 case 0x2e: /* CS override */
1020 case 0x36: /* SS override */
1021 case 0x3e: /* DS override */
1022 set_seg_override(c, (c->b >> 3) & 3);
1024 case 0x64: /* FS override */
1025 case 0x65: /* GS override */
1026 set_seg_override(c, c->b & 7);
1028 case 0x40 ... 0x4f: /* REX */
1029 if (mode != X86EMUL_MODE_PROT64)
1031 c->rex_prefix = c->b;
1033 case 0xf0: /* LOCK */
1036 case 0xf2: /* REPNE/REPNZ */
1037 c->rep_prefix = REPNE_PREFIX;
1039 case 0xf3: /* REP/REPE/REPZ */
1040 c->rep_prefix = REPE_PREFIX;
1046 /* Any legacy prefix after a REX prefix nullifies its effect. */
1055 if (c->rex_prefix & 8)
1056 c->op_bytes = 8; /* REX.W */
1058 /* Opcode byte(s). */
1059 c->d = opcode_table[c->b];
1061 /* Two-byte opcode? */
1064 c->b = insn_fetch(u8, 1, c->eip);
1065 c->d = twobyte_table[c->b];
1070 group = c->d & GroupMask;
1071 c->modrm = insn_fetch(u8, 1, c->eip);
1074 group = (group << 3) + ((c->modrm >> 3) & 7);
1075 if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
1076 c->d = group2_table[group];
1078 c->d = group_table[group];
1083 DPRINTF("Cannot emulate %02x\n", c->b);
1087 if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
1090 /* ModRM and SIB bytes. */
1092 rc = decode_modrm(ctxt, ops);
1093 else if (c->d & MemAbs)
1094 rc = decode_abs(ctxt, ops);
1095 if (rc != X86EMUL_CONTINUE)
1098 if (!c->has_seg_override)
1099 set_seg_override(c, VCPU_SREG_DS);
1101 if (!(!c->twobyte && c->b == 0x8d))
1102 c->modrm_ea += seg_override_base(ctxt, ops, c);
1104 if (c->ad_bytes != 8)
1105 c->modrm_ea = (u32)c->modrm_ea;
1107 if (c->rip_relative)
1108 c->modrm_ea += c->eip;
1111 * Decode and fetch the source operand: register, memory
1114 switch (c->d & SrcMask) {
1118 decode_register_operand(&c->src, c, 0);
1127 c->src.bytes = (c->d & ByteOp) ? 1 :
1129 /* Don't fetch the address for invlpg: it could be unmapped. */
1130 if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
1134 * For instructions with a ModR/M byte, switch to register
1135 * access if Mod = 3.
1137 if ((c->d & ModRM) && c->modrm_mod == 3) {
1138 c->src.type = OP_REG;
1139 c->src.val = c->modrm_val;
1140 c->src.ptr = c->modrm_ptr;
1143 c->src.type = OP_MEM;
1144 c->src.ptr = (unsigned long *)c->modrm_ea;
1149 c->src.type = OP_IMM;
1150 c->src.ptr = (unsigned long *)c->eip;
1151 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1152 if (c->src.bytes == 8)
1154 /* NB. Immediates are sign-extended as necessary. */
1155 switch (c->src.bytes) {
1157 c->src.val = insn_fetch(s8, 1, c->eip);
1160 c->src.val = insn_fetch(s16, 2, c->eip);
1163 c->src.val = insn_fetch(s32, 4, c->eip);
1166 if ((c->d & SrcMask) == SrcImmU) {
1167 switch (c->src.bytes) {
1172 c->src.val &= 0xffff;
1175 c->src.val &= 0xffffffff;
1182 c->src.type = OP_IMM;
1183 c->src.ptr = (unsigned long *)c->eip;
1185 if ((c->d & SrcMask) == SrcImmByte)
1186 c->src.val = insn_fetch(s8, 1, c->eip);
1188 c->src.val = insn_fetch(u8, 1, c->eip);
1191 c->src.type = OP_REG;
1192 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1193 c->src.ptr = &c->regs[VCPU_REGS_RAX];
1194 switch (c->src.bytes) {
1196 c->src.val = *(u8 *)c->src.ptr;
1199 c->src.val = *(u16 *)c->src.ptr;
1202 c->src.val = *(u32 *)c->src.ptr;
1205 c->src.val = *(u64 *)c->src.ptr;
1214 c->src.type = OP_MEM;
1215 c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1216 c->src.ptr = (unsigned long *)
1217 register_address(c, seg_override_base(ctxt, ops, c),
1218 c->regs[VCPU_REGS_RSI]);
1222 c->src.type = OP_IMM;
1223 c->src.ptr = (unsigned long *)c->eip;
1224 c->src.bytes = c->op_bytes + 2;
1225 insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
1228 c->src.type = OP_MEM;
1229 c->src.ptr = (unsigned long *)c->modrm_ea;
1230 c->src.bytes = c->op_bytes + 2;
1235 * Decode and fetch the second source operand: register, memory
1238 switch (c->d & Src2Mask) {
1243 c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
1246 c->src2.type = OP_IMM;
1247 c->src2.ptr = (unsigned long *)c->eip;
1249 c->src2.val = insn_fetch(u8, 1, c->eip);
1257 /* Decode and fetch the destination operand: register or memory. */
1258 switch (c->d & DstMask) {
1260 /* Special instructions do their own operand decoding. */
1263 decode_register_operand(&c->dst, c,
1264 c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
1268 if ((c->d & ModRM) && c->modrm_mod == 3) {
1269 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1270 c->dst.type = OP_REG;
1271 c->dst.val = c->dst.orig_val = c->modrm_val;
1272 c->dst.ptr = c->modrm_ptr;
1275 c->dst.type = OP_MEM;
1276 c->dst.ptr = (unsigned long *)c->modrm_ea;
1277 if ((c->d & DstMask) == DstMem64)
1280 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1283 unsigned long mask = ~(c->dst.bytes * 8 - 1);
1285 c->dst.ptr = (void *)c->dst.ptr +
1286 (c->src.val & mask) / 8;
1290 c->dst.type = OP_REG;
1291 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1292 c->dst.ptr = &c->regs[VCPU_REGS_RAX];
1293 switch (c->dst.bytes) {
1295 c->dst.val = *(u8 *)c->dst.ptr;
1298 c->dst.val = *(u16 *)c->dst.ptr;
1301 c->dst.val = *(u32 *)c->dst.ptr;
1304 c->dst.val = *(u64 *)c->dst.ptr;
1307 c->dst.orig_val = c->dst.val;
1310 c->dst.type = OP_MEM;
1311 c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
1312 c->dst.ptr = (unsigned long *)
1313 register_address(c, es_base(ctxt, ops),
1314 c->regs[VCPU_REGS_RDI]);
1320 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
1323 static int read_emulated(struct x86_emulate_ctxt *ctxt,
1324 struct x86_emulate_ops *ops,
1325 unsigned long addr, void *dest, unsigned size)
1328 struct read_cache *mc = &ctxt->decode.mem_read;
1332 int n = min(size, 8u);
1334 if (mc->pos < mc->end)
1337 rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
1339 if (rc == X86EMUL_PROPAGATE_FAULT)
1340 emulate_pf(ctxt, addr, err);
1341 if (rc != X86EMUL_CONTINUE)
1346 memcpy(dest, mc->data + mc->pos, n);
1351 return X86EMUL_CONTINUE;
1354 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
1355 struct x86_emulate_ops *ops,
1356 unsigned int size, unsigned short port,
1359 struct read_cache *rc = &ctxt->decode.io_read;
1361 if (rc->pos == rc->end) { /* refill pio read ahead */
1362 struct decode_cache *c = &ctxt->decode;
1363 unsigned int in_page, n;
1364 unsigned int count = c->rep_prefix ?
1365 address_mask(c, c->regs[VCPU_REGS_RCX]) : 1;
1366 in_page = (ctxt->eflags & EFLG_DF) ?
1367 offset_in_page(c->regs[VCPU_REGS_RDI]) :
1368 PAGE_SIZE - offset_in_page(c->regs[VCPU_REGS_RDI]);
1369 n = min(min(in_page, (unsigned int)sizeof(rc->data)) / size,
1373 rc->pos = rc->end = 0;
1374 if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
1379 memcpy(dest, rc->data + rc->pos, size);
1384 static u32 desc_limit_scaled(struct desc_struct *desc)
1386 u32 limit = get_desc_limit(desc);
1388 return desc->g ? (limit << 12) | 0xfff : limit;
1391 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
1392 struct x86_emulate_ops *ops,
1393 u16 selector, struct desc_ptr *dt)
1395 if (selector & 1 << 2) {
1396 struct desc_struct desc;
1397 memset (dt, 0, sizeof *dt);
1398 if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
1401 dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
1402 dt->address = get_desc_base(&desc);
1404 ops->get_gdt(dt, ctxt->vcpu);
1407 /* allowed just for 8 bytes segments */
1408 static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1409 struct x86_emulate_ops *ops,
1410 u16 selector, struct desc_struct *desc)
1413 u16 index = selector >> 3;
1418 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1420 if (dt.size < index * 8 + 7) {
1421 emulate_gp(ctxt, selector & 0xfffc);
1422 return X86EMUL_PROPAGATE_FAULT;
1424 addr = dt.address + index * 8;
1425 ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1426 if (ret == X86EMUL_PROPAGATE_FAULT)
1427 emulate_pf(ctxt, addr, err);
1432 /* allowed just for 8 bytes segments */
1433 static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1434 struct x86_emulate_ops *ops,
1435 u16 selector, struct desc_struct *desc)
1438 u16 index = selector >> 3;
1443 get_descriptor_table_ptr(ctxt, ops, selector, &dt);
1445 if (dt.size < index * 8 + 7) {
1446 emulate_gp(ctxt, selector & 0xfffc);
1447 return X86EMUL_PROPAGATE_FAULT;
1450 addr = dt.address + index * 8;
1451 ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
1452 if (ret == X86EMUL_PROPAGATE_FAULT)
1453 emulate_pf(ctxt, addr, err);
1458 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1459 struct x86_emulate_ops *ops,
1460 u16 selector, int seg)
1462 struct desc_struct seg_desc;
1464 unsigned err_vec = GP_VECTOR;
1466 bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1469 memset(&seg_desc, 0, sizeof seg_desc);
1471 if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
1472 || ctxt->mode == X86EMUL_MODE_REAL) {
1473 /* set real mode segment descriptor */
1474 set_desc_base(&seg_desc, selector << 4);
1475 set_desc_limit(&seg_desc, 0xffff);
1482 /* NULL selector is not valid for TR, CS and SS */
1483 if ((seg == VCPU_SREG_CS || seg == VCPU_SREG_SS || seg == VCPU_SREG_TR)
1487 /* TR should be in GDT only */
1488 if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
1491 if (null_selector) /* for NULL selector skip all following checks */
1494 ret = read_segment_descriptor(ctxt, ops, selector, &seg_desc);
1495 if (ret != X86EMUL_CONTINUE)
1498 err_code = selector & 0xfffc;
1499 err_vec = GP_VECTOR;
1501 /* can't load system descriptor into segment selecor */
1502 if (seg <= VCPU_SREG_GS && !seg_desc.s)
1506 err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR;
1512 cpl = ops->cpl(ctxt->vcpu);
1517 * segment is not a writable data segment or segment
1518 * selector's RPL != CPL or segment selector's RPL != CPL
1520 if (rpl != cpl || (seg_desc.type & 0xa) != 0x2 || dpl != cpl)
1524 if (!(seg_desc.type & 8))
1527 if (seg_desc.type & 4) {
1533 if (rpl > cpl || dpl != cpl)
1536 /* CS(RPL) <- CPL */
1537 selector = (selector & 0xfffc) | cpl;
1540 if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
1543 case VCPU_SREG_LDTR:
1544 if (seg_desc.s || seg_desc.type != 2)
1547 default: /* DS, ES, FS, or GS */
1549 * segment is not a data or readable code segment or
1550 * ((segment is a data or nonconforming code segment)
1551 * and (both RPL and CPL > DPL))
1553 if ((seg_desc.type & 0xa) == 0x8 ||
1554 (((seg_desc.type & 0xc) != 0xc) &&
1555 (rpl > dpl && cpl > dpl)))
1561 /* mark segment as accessed */
1563 ret = write_segment_descriptor(ctxt, ops, selector, &seg_desc);
1564 if (ret != X86EMUL_CONTINUE)
1568 ops->set_segment_selector(selector, seg, ctxt->vcpu);
1569 ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
1570 return X86EMUL_CONTINUE;
1572 emulate_exception(ctxt, err_vec, err_code, true);
1573 return X86EMUL_PROPAGATE_FAULT;
1576 static inline int writeback(struct x86_emulate_ctxt *ctxt,
1577 struct x86_emulate_ops *ops)
1580 struct decode_cache *c = &ctxt->decode;
1583 switch (c->dst.type) {
1585 /* The 4-byte case *is* correct:
1586 * in 64-bit mode we zero-extend.
1588 switch (c->dst.bytes) {
1590 *(u8 *)c->dst.ptr = (u8)c->dst.val;
1593 *(u16 *)c->dst.ptr = (u16)c->dst.val;
1596 *c->dst.ptr = (u32)c->dst.val;
1597 break; /* 64b: zero-ext */
1599 *c->dst.ptr = c->dst.val;
1605 rc = ops->cmpxchg_emulated(
1606 (unsigned long)c->dst.ptr,
1613 rc = ops->write_emulated(
1614 (unsigned long)c->dst.ptr,
1619 if (rc == X86EMUL_PROPAGATE_FAULT)
1621 (unsigned long)c->dst.ptr, err);
1622 if (rc != X86EMUL_CONTINUE)
1631 return X86EMUL_CONTINUE;
1634 static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
1635 struct x86_emulate_ops *ops)
1637 struct decode_cache *c = &ctxt->decode;
1639 c->dst.type = OP_MEM;
1640 c->dst.bytes = c->op_bytes;
1641 c->dst.val = c->src.val;
1642 register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
1643 c->dst.ptr = (void *) register_address(c, ss_base(ctxt, ops),
1644 c->regs[VCPU_REGS_RSP]);
1647 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
1648 struct x86_emulate_ops *ops,
1649 void *dest, int len)
1651 struct decode_cache *c = &ctxt->decode;
1654 rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
1655 c->regs[VCPU_REGS_RSP]),
1657 if (rc != X86EMUL_CONTINUE)
1660 register_address_increment(c, &c->regs[VCPU_REGS_RSP], len);
1664 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
1665 struct x86_emulate_ops *ops,
1666 void *dest, int len)
1669 unsigned long val, change_mask;
1670 int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
1671 int cpl = ops->cpl(ctxt->vcpu);
1673 rc = emulate_pop(ctxt, ops, &val, len);
1674 if (rc != X86EMUL_CONTINUE)
1677 change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
1678 | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
1680 switch(ctxt->mode) {
1681 case X86EMUL_MODE_PROT64:
1682 case X86EMUL_MODE_PROT32:
1683 case X86EMUL_MODE_PROT16:
1685 change_mask |= EFLG_IOPL;
1687 change_mask |= EFLG_IF;
1689 case X86EMUL_MODE_VM86:
1691 emulate_gp(ctxt, 0);
1692 return X86EMUL_PROPAGATE_FAULT;
1694 change_mask |= EFLG_IF;
1696 default: /* real mode */
1697 change_mask |= (EFLG_IOPL | EFLG_IF);
1701 *(unsigned long *)dest =
1702 (ctxt->eflags & ~change_mask) | (val & change_mask);
1707 static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
1708 struct x86_emulate_ops *ops, int seg)
1710 struct decode_cache *c = &ctxt->decode;
1712 c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
1714 emulate_push(ctxt, ops);
1717 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
1718 struct x86_emulate_ops *ops, int seg)
1720 struct decode_cache *c = &ctxt->decode;
1721 unsigned long selector;
1724 rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
1725 if (rc != X86EMUL_CONTINUE)
1728 rc = load_segment_descriptor(ctxt, ops, (u16)selector, seg);
1732 static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
1733 struct x86_emulate_ops *ops)
1735 struct decode_cache *c = &ctxt->decode;
1736 unsigned long old_esp = c->regs[VCPU_REGS_RSP];
1737 int rc = X86EMUL_CONTINUE;
1738 int reg = VCPU_REGS_RAX;
1740 while (reg <= VCPU_REGS_RDI) {
1741 (reg == VCPU_REGS_RSP) ?
1742 (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
1744 emulate_push(ctxt, ops);
1746 rc = writeback(ctxt, ops);
1747 if (rc != X86EMUL_CONTINUE)
1753 /* Disable writeback. */
1754 c->dst.type = OP_NONE;
1759 static int emulate_popa(struct x86_emulate_ctxt *ctxt,
1760 struct x86_emulate_ops *ops)
1762 struct decode_cache *c = &ctxt->decode;
1763 int rc = X86EMUL_CONTINUE;
1764 int reg = VCPU_REGS_RDI;
1766 while (reg >= VCPU_REGS_RAX) {
1767 if (reg == VCPU_REGS_RSP) {
1768 register_address_increment(c, &c->regs[VCPU_REGS_RSP],
1773 rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
1774 if (rc != X86EMUL_CONTINUE)
1781 static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
1782 struct x86_emulate_ops *ops)
1784 struct decode_cache *c = &ctxt->decode;
1786 return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
1789 static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
1791 struct decode_cache *c = &ctxt->decode;
1792 switch (c->modrm_reg) {
1794 emulate_2op_SrcB("rol", c->src, c->dst, ctxt->eflags);
1797 emulate_2op_SrcB("ror", c->src, c->dst, ctxt->eflags);
1800 emulate_2op_SrcB("rcl", c->src, c->dst, ctxt->eflags);
1803 emulate_2op_SrcB("rcr", c->src, c->dst, ctxt->eflags);
1805 case 4: /* sal/shl */
1806 case 6: /* sal/shl */
1807 emulate_2op_SrcB("sal", c->src, c->dst, ctxt->eflags);
1810 emulate_2op_SrcB("shr", c->src, c->dst, ctxt->eflags);
1813 emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
1818 static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
1819 struct x86_emulate_ops *ops)
1821 struct decode_cache *c = &ctxt->decode;
1823 switch (c->modrm_reg) {
1824 case 0 ... 1: /* test */
1825 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
1828 c->dst.val = ~c->dst.val;
1831 emulate_1op("neg", c->dst, ctxt->eflags);
1839 static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
1840 struct x86_emulate_ops *ops)
1842 struct decode_cache *c = &ctxt->decode;
1844 switch (c->modrm_reg) {
1846 emulate_1op("inc", c->dst, ctxt->eflags);
1849 emulate_1op("dec", c->dst, ctxt->eflags);
1851 case 2: /* call near abs */ {
1854 c->eip = c->src.val;
1855 c->src.val = old_eip;
1856 emulate_push(ctxt, ops);
1859 case 4: /* jmp abs */
1860 c->eip = c->src.val;
1863 emulate_push(ctxt, ops);
1866 return X86EMUL_CONTINUE;
1869 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
1870 struct x86_emulate_ops *ops)
1872 struct decode_cache *c = &ctxt->decode;
1873 u64 old = c->dst.orig_val64;
1875 if (((u32) (old >> 0) != (u32) c->regs[VCPU_REGS_RAX]) ||
1876 ((u32) (old >> 32) != (u32) c->regs[VCPU_REGS_RDX])) {
1877 c->regs[VCPU_REGS_RAX] = (u32) (old >> 0);
1878 c->regs[VCPU_REGS_RDX] = (u32) (old >> 32);
1879 ctxt->eflags &= ~EFLG_ZF;
1881 c->dst.val64 = ((u64)c->regs[VCPU_REGS_RCX] << 32) |
1882 (u32) c->regs[VCPU_REGS_RBX];
1884 ctxt->eflags |= EFLG_ZF;
1886 return X86EMUL_CONTINUE;
1889 static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
1890 struct x86_emulate_ops *ops)
1892 struct decode_cache *c = &ctxt->decode;
1896 rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
1897 if (rc != X86EMUL_CONTINUE)
1899 if (c->op_bytes == 4)
1900 c->eip = (u32)c->eip;
1901 rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
1902 if (rc != X86EMUL_CONTINUE)
1904 rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
1909 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
1910 struct x86_emulate_ops *ops, struct desc_struct *cs,
1911 struct desc_struct *ss)
1913 memset(cs, 0, sizeof(struct desc_struct));
1914 ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
1915 memset(ss, 0, sizeof(struct desc_struct));
1917 cs->l = 0; /* will be adjusted later */
1918 set_desc_base(cs, 0); /* flat segment */
1919 cs->g = 1; /* 4kb granularity */
1920 set_desc_limit(cs, 0xfffff); /* 4GB limit */
1921 cs->type = 0x0b; /* Read, Execute, Accessed */
1923 cs->dpl = 0; /* will be adjusted later */
1927 set_desc_base(ss, 0); /* flat segment */
1928 set_desc_limit(ss, 0xfffff); /* 4GB limit */
1929 ss->g = 1; /* 4kb granularity */
1931 ss->type = 0x03; /* Read/Write, Accessed */
1932 ss->d = 1; /* 32bit stack segment */
1938 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1940 struct decode_cache *c = &ctxt->decode;
1941 struct desc_struct cs, ss;
1945 /* syscall is not available in real mode */
1946 if (ctxt->mode == X86EMUL_MODE_REAL ||
1947 ctxt->mode == X86EMUL_MODE_VM86) {
1949 return X86EMUL_PROPAGATE_FAULT;
1952 setup_syscalls_segments(ctxt, ops, &cs, &ss);
1954 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1956 cs_sel = (u16)(msr_data & 0xfffc);
1957 ss_sel = (u16)(msr_data + 8);
1959 if (is_long_mode(ctxt->vcpu)) {
1963 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
1964 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
1965 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
1966 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
1968 c->regs[VCPU_REGS_RCX] = c->eip;
1969 if (is_long_mode(ctxt->vcpu)) {
1970 #ifdef CONFIG_X86_64
1971 c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
1973 ops->get_msr(ctxt->vcpu,
1974 ctxt->mode == X86EMUL_MODE_PROT64 ?
1975 MSR_LSTAR : MSR_CSTAR, &msr_data);
1978 ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
1979 ctxt->eflags &= ~(msr_data | EFLG_RF);
1983 ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
1984 c->eip = (u32)msr_data;
1986 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
1989 return X86EMUL_CONTINUE;
1993 emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
1995 struct decode_cache *c = &ctxt->decode;
1996 struct desc_struct cs, ss;
2000 /* inject #GP if in real mode */
2001 if (ctxt->mode == X86EMUL_MODE_REAL) {
2002 emulate_gp(ctxt, 0);
2003 return X86EMUL_PROPAGATE_FAULT;
2006 /* XXX sysenter/sysexit have not been tested in 64bit mode.
2007 * Therefore, we inject an #UD.
2009 if (ctxt->mode == X86EMUL_MODE_PROT64) {
2011 return X86EMUL_PROPAGATE_FAULT;
2014 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2016 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2017 switch (ctxt->mode) {
2018 case X86EMUL_MODE_PROT32:
2019 if ((msr_data & 0xfffc) == 0x0) {
2020 emulate_gp(ctxt, 0);
2021 return X86EMUL_PROPAGATE_FAULT;
2024 case X86EMUL_MODE_PROT64:
2025 if (msr_data == 0x0) {
2026 emulate_gp(ctxt, 0);
2027 return X86EMUL_PROPAGATE_FAULT;
2032 ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
2033 cs_sel = (u16)msr_data;
2034 cs_sel &= ~SELECTOR_RPL_MASK;
2035 ss_sel = cs_sel + 8;
2036 ss_sel &= ~SELECTOR_RPL_MASK;
2037 if (ctxt->mode == X86EMUL_MODE_PROT64
2038 || is_long_mode(ctxt->vcpu)) {
2043 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2044 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2045 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2046 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2048 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
2051 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
2052 c->regs[VCPU_REGS_RSP] = msr_data;
2054 return X86EMUL_CONTINUE;
2058 emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2060 struct decode_cache *c = &ctxt->decode;
2061 struct desc_struct cs, ss;
2066 /* inject #GP if in real mode or Virtual 8086 mode */
2067 if (ctxt->mode == X86EMUL_MODE_REAL ||
2068 ctxt->mode == X86EMUL_MODE_VM86) {
2069 emulate_gp(ctxt, 0);
2070 return X86EMUL_PROPAGATE_FAULT;
2073 setup_syscalls_segments(ctxt, ops, &cs, &ss);
2075 if ((c->rex_prefix & 0x8) != 0x0)
2076 usermode = X86EMUL_MODE_PROT64;
2078 usermode = X86EMUL_MODE_PROT32;
2082 ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
2084 case X86EMUL_MODE_PROT32:
2085 cs_sel = (u16)(msr_data + 16);
2086 if ((msr_data & 0xfffc) == 0x0) {
2087 emulate_gp(ctxt, 0);
2088 return X86EMUL_PROPAGATE_FAULT;
2090 ss_sel = (u16)(msr_data + 24);
2092 case X86EMUL_MODE_PROT64:
2093 cs_sel = (u16)(msr_data + 32);
2094 if (msr_data == 0x0) {
2095 emulate_gp(ctxt, 0);
2096 return X86EMUL_PROPAGATE_FAULT;
2098 ss_sel = cs_sel + 8;
2103 cs_sel |= SELECTOR_RPL_MASK;
2104 ss_sel |= SELECTOR_RPL_MASK;
2106 ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
2107 ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
2108 ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
2109 ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
2111 c->eip = c->regs[VCPU_REGS_RDX];
2112 c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
2114 return X86EMUL_CONTINUE;
2117 static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
2118 struct x86_emulate_ops *ops)
2121 if (ctxt->mode == X86EMUL_MODE_REAL)
2123 if (ctxt->mode == X86EMUL_MODE_VM86)
2125 iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
2126 return ops->cpl(ctxt->vcpu) > iopl;
2129 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
2130 struct x86_emulate_ops *ops,
2133 struct desc_struct tr_seg;
2136 u8 perm, bit_idx = port & 0x7;
2137 unsigned mask = (1 << len) - 1;
2139 ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
2142 if (desc_limit_scaled(&tr_seg) < 103)
2144 r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
2146 if (r != X86EMUL_CONTINUE)
2148 if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
2150 r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
2151 &perm, 1, ctxt->vcpu, NULL);
2152 if (r != X86EMUL_CONTINUE)
2154 if ((perm >> bit_idx) & mask)
2159 static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
2160 struct x86_emulate_ops *ops,
2163 if (emulator_bad_iopl(ctxt, ops))
2164 if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
2169 static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
2170 struct x86_emulate_ops *ops,
2171 struct tss_segment_16 *tss)
2173 struct decode_cache *c = &ctxt->decode;
2176 tss->flag = ctxt->eflags;
2177 tss->ax = c->regs[VCPU_REGS_RAX];
2178 tss->cx = c->regs[VCPU_REGS_RCX];
2179 tss->dx = c->regs[VCPU_REGS_RDX];
2180 tss->bx = c->regs[VCPU_REGS_RBX];
2181 tss->sp = c->regs[VCPU_REGS_RSP];
2182 tss->bp = c->regs[VCPU_REGS_RBP];
2183 tss->si = c->regs[VCPU_REGS_RSI];
2184 tss->di = c->regs[VCPU_REGS_RDI];
2186 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2187 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2188 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2189 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2190 tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2193 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
2194 struct x86_emulate_ops *ops,
2195 struct tss_segment_16 *tss)
2197 struct decode_cache *c = &ctxt->decode;
2201 ctxt->eflags = tss->flag | 2;
2202 c->regs[VCPU_REGS_RAX] = tss->ax;
2203 c->regs[VCPU_REGS_RCX] = tss->cx;
2204 c->regs[VCPU_REGS_RDX] = tss->dx;
2205 c->regs[VCPU_REGS_RBX] = tss->bx;
2206 c->regs[VCPU_REGS_RSP] = tss->sp;
2207 c->regs[VCPU_REGS_RBP] = tss->bp;
2208 c->regs[VCPU_REGS_RSI] = tss->si;
2209 c->regs[VCPU_REGS_RDI] = tss->di;
2212 * SDM says that segment selectors are loaded before segment
2215 ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
2216 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2217 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2218 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2219 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2222 * Now load segment descriptors. If fault happenes at this stage
2223 * it is handled in a context of new task
2225 ret = load_segment_descriptor(ctxt, ops, tss->ldt, VCPU_SREG_LDTR);
2226 if (ret != X86EMUL_CONTINUE)
2228 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2229 if (ret != X86EMUL_CONTINUE)
2231 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2232 if (ret != X86EMUL_CONTINUE)
2234 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2235 if (ret != X86EMUL_CONTINUE)
2237 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2238 if (ret != X86EMUL_CONTINUE)
2241 return X86EMUL_CONTINUE;
2244 static int task_switch_16(struct x86_emulate_ctxt *ctxt,
2245 struct x86_emulate_ops *ops,
2246 u16 tss_selector, u16 old_tss_sel,
2247 ulong old_tss_base, struct desc_struct *new_desc)
2249 struct tss_segment_16 tss_seg;
2251 u32 err, new_tss_base = get_desc_base(new_desc);
2253 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2255 if (ret == X86EMUL_PROPAGATE_FAULT) {
2256 /* FIXME: need to provide precise fault address */
2257 emulate_pf(ctxt, old_tss_base, err);
2261 save_state_to_tss16(ctxt, ops, &tss_seg);
2263 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2265 if (ret == X86EMUL_PROPAGATE_FAULT) {
2266 /* FIXME: need to provide precise fault address */
2267 emulate_pf(ctxt, old_tss_base, err);
2271 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2273 if (ret == X86EMUL_PROPAGATE_FAULT) {
2274 /* FIXME: need to provide precise fault address */
2275 emulate_pf(ctxt, new_tss_base, err);
2279 if (old_tss_sel != 0xffff) {
2280 tss_seg.prev_task_link = old_tss_sel;
2282 ret = ops->write_std(new_tss_base,
2283 &tss_seg.prev_task_link,
2284 sizeof tss_seg.prev_task_link,
2286 if (ret == X86EMUL_PROPAGATE_FAULT) {
2287 /* FIXME: need to provide precise fault address */
2288 emulate_pf(ctxt, new_tss_base, err);
2293 return load_state_from_tss16(ctxt, ops, &tss_seg);
2296 static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
2297 struct x86_emulate_ops *ops,
2298 struct tss_segment_32 *tss)
2300 struct decode_cache *c = &ctxt->decode;
2302 tss->cr3 = ops->get_cr(3, ctxt->vcpu);
2304 tss->eflags = ctxt->eflags;
2305 tss->eax = c->regs[VCPU_REGS_RAX];
2306 tss->ecx = c->regs[VCPU_REGS_RCX];
2307 tss->edx = c->regs[VCPU_REGS_RDX];
2308 tss->ebx = c->regs[VCPU_REGS_RBX];
2309 tss->esp = c->regs[VCPU_REGS_RSP];
2310 tss->ebp = c->regs[VCPU_REGS_RBP];
2311 tss->esi = c->regs[VCPU_REGS_RSI];
2312 tss->edi = c->regs[VCPU_REGS_RDI];
2314 tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
2315 tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
2316 tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
2317 tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
2318 tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
2319 tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
2320 tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
2323 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
2324 struct x86_emulate_ops *ops,
2325 struct tss_segment_32 *tss)
2327 struct decode_cache *c = &ctxt->decode;
2330 if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
2331 emulate_gp(ctxt, 0);
2332 return X86EMUL_PROPAGATE_FAULT;
2335 ctxt->eflags = tss->eflags | 2;
2336 c->regs[VCPU_REGS_RAX] = tss->eax;
2337 c->regs[VCPU_REGS_RCX] = tss->ecx;
2338 c->regs[VCPU_REGS_RDX] = tss->edx;
2339 c->regs[VCPU_REGS_RBX] = tss->ebx;
2340 c->regs[VCPU_REGS_RSP] = tss->esp;
2341 c->regs[VCPU_REGS_RBP] = tss->ebp;
2342 c->regs[VCPU_REGS_RSI] = tss->esi;
2343 c->regs[VCPU_REGS_RDI] = tss->edi;
2346 * SDM says that segment selectors are loaded before segment
2349 ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
2350 ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
2351 ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
2352 ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
2353 ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
2354 ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
2355 ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
2358 * Now load segment descriptors. If fault happenes at this stage
2359 * it is handled in a context of new task
2361 ret = load_segment_descriptor(ctxt, ops, tss->ldt_selector, VCPU_SREG_LDTR);
2362 if (ret != X86EMUL_CONTINUE)
2364 ret = load_segment_descriptor(ctxt, ops, tss->es, VCPU_SREG_ES);
2365 if (ret != X86EMUL_CONTINUE)
2367 ret = load_segment_descriptor(ctxt, ops, tss->cs, VCPU_SREG_CS);
2368 if (ret != X86EMUL_CONTINUE)
2370 ret = load_segment_descriptor(ctxt, ops, tss->ss, VCPU_SREG_SS);
2371 if (ret != X86EMUL_CONTINUE)
2373 ret = load_segment_descriptor(ctxt, ops, tss->ds, VCPU_SREG_DS);
2374 if (ret != X86EMUL_CONTINUE)
2376 ret = load_segment_descriptor(ctxt, ops, tss->fs, VCPU_SREG_FS);
2377 if (ret != X86EMUL_CONTINUE)
2379 ret = load_segment_descriptor(ctxt, ops, tss->gs, VCPU_SREG_GS);
2380 if (ret != X86EMUL_CONTINUE)
2383 return X86EMUL_CONTINUE;
2386 static int task_switch_32(struct x86_emulate_ctxt *ctxt,
2387 struct x86_emulate_ops *ops,
2388 u16 tss_selector, u16 old_tss_sel,
2389 ulong old_tss_base, struct desc_struct *new_desc)
2391 struct tss_segment_32 tss_seg;
2393 u32 err, new_tss_base = get_desc_base(new_desc);
2395 ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2397 if (ret == X86EMUL_PROPAGATE_FAULT) {
2398 /* FIXME: need to provide precise fault address */
2399 emulate_pf(ctxt, old_tss_base, err);
2403 save_state_to_tss32(ctxt, ops, &tss_seg);
2405 ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2407 if (ret == X86EMUL_PROPAGATE_FAULT) {
2408 /* FIXME: need to provide precise fault address */
2409 emulate_pf(ctxt, old_tss_base, err);
2413 ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
2415 if (ret == X86EMUL_PROPAGATE_FAULT) {
2416 /* FIXME: need to provide precise fault address */
2417 emulate_pf(ctxt, new_tss_base, err);
2421 if (old_tss_sel != 0xffff) {
2422 tss_seg.prev_task_link = old_tss_sel;
2424 ret = ops->write_std(new_tss_base,
2425 &tss_seg.prev_task_link,
2426 sizeof tss_seg.prev_task_link,
2428 if (ret == X86EMUL_PROPAGATE_FAULT) {
2429 /* FIXME: need to provide precise fault address */
2430 emulate_pf(ctxt, new_tss_base, err);
2435 return load_state_from_tss32(ctxt, ops, &tss_seg);
2438 static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
2439 struct x86_emulate_ops *ops,
2440 u16 tss_selector, int reason,
2441 bool has_error_code, u32 error_code)
2443 struct desc_struct curr_tss_desc, next_tss_desc;
2445 u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
2446 ulong old_tss_base =
2447 ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
2450 /* FIXME: old_tss_base == ~0 ? */
2452 ret = read_segment_descriptor(ctxt, ops, tss_selector, &next_tss_desc);
2453 if (ret != X86EMUL_CONTINUE)
2455 ret = read_segment_descriptor(ctxt, ops, old_tss_sel, &curr_tss_desc);
2456 if (ret != X86EMUL_CONTINUE)
2459 /* FIXME: check that next_tss_desc is tss */
2461 if (reason != TASK_SWITCH_IRET) {
2462 if ((tss_selector & 3) > next_tss_desc.dpl ||
2463 ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
2464 emulate_gp(ctxt, 0);
2465 return X86EMUL_PROPAGATE_FAULT;
2469 desc_limit = desc_limit_scaled(&next_tss_desc);
2470 if (!next_tss_desc.p ||
2471 ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
2472 desc_limit < 0x2b)) {
2473 emulate_ts(ctxt, tss_selector & 0xfffc);
2474 return X86EMUL_PROPAGATE_FAULT;
2477 if (reason == TASK_SWITCH_IRET || reason == TASK_SWITCH_JMP) {
2478 curr_tss_desc.type &= ~(1 << 1); /* clear busy flag */
2479 write_segment_descriptor(ctxt, ops, old_tss_sel,
2483 if (reason == TASK_SWITCH_IRET)
2484 ctxt->eflags = ctxt->eflags & ~X86_EFLAGS_NT;
2486 /* set back link to prev task only if NT bit is set in eflags
2487 note that old_tss_sel is not used afetr this point */
2488 if (reason != TASK_SWITCH_CALL && reason != TASK_SWITCH_GATE)
2489 old_tss_sel = 0xffff;
2491 if (next_tss_desc.type & 8)
2492 ret = task_switch_32(ctxt, ops, tss_selector, old_tss_sel,
2493 old_tss_base, &next_tss_desc);
2495 ret = task_switch_16(ctxt, ops, tss_selector, old_tss_sel,
2496 old_tss_base, &next_tss_desc);
2497 if (ret != X86EMUL_CONTINUE)
2500 if (reason == TASK_SWITCH_CALL || reason == TASK_SWITCH_GATE)
2501 ctxt->eflags = ctxt->eflags | X86_EFLAGS_NT;
2503 if (reason != TASK_SWITCH_IRET) {
2504 next_tss_desc.type |= (1 << 1); /* set busy flag */
2505 write_segment_descriptor(ctxt, ops, tss_selector,
2509 ops->set_cr(0, ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
2510 ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
2511 ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
2513 if (has_error_code) {
2514 struct decode_cache *c = &ctxt->decode;
2516 c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
2518 c->src.val = (unsigned long) error_code;
2519 emulate_push(ctxt, ops);
2525 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
2526 struct x86_emulate_ops *ops,
2527 u16 tss_selector, int reason,
2528 bool has_error_code, u32 error_code)
2530 struct decode_cache *c = &ctxt->decode;
2534 c->dst.type = OP_NONE;
2536 rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
2537 has_error_code, error_code);
2539 if (rc == X86EMUL_CONTINUE) {
2540 rc = writeback(ctxt, ops);
2541 if (rc == X86EMUL_CONTINUE)
2545 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
2548 static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
2549 int reg, struct operand *op)
2551 struct decode_cache *c = &ctxt->decode;
2552 int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
2554 register_address_increment(c, &c->regs[reg], df * op->bytes);
2555 op->ptr = (unsigned long *)register_address(c, base, c->regs[reg]);
2559 x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
2562 struct decode_cache *c = &ctxt->decode;
2563 int rc = X86EMUL_CONTINUE;
2564 int saved_dst_type = c->dst.type;
2566 ctxt->decode.mem_read.pos = 0;
2568 if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
2573 /* LOCK prefix is allowed only with some instructions */
2574 if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
2579 /* Privileged instruction can be executed only in CPL=0 */
2580 if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
2581 emulate_gp(ctxt, 0);
2585 if (c->rep_prefix && (c->d & String)) {
2586 ctxt->restart = true;
2587 /* All REP prefixes have the same first termination condition */
2588 if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
2590 ctxt->restart = false;
2594 /* The second termination condition only applies for REPE
2595 * and REPNE. Test if the repeat string operation prefix is
2596 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
2597 * corresponding termination condition according to:
2598 * - if REPE/REPZ and ZF = 0 then done
2599 * - if REPNE/REPNZ and ZF = 1 then done
2601 if ((c->b == 0xa6) || (c->b == 0xa7) ||
2602 (c->b == 0xae) || (c->b == 0xaf)) {
2603 if ((c->rep_prefix == REPE_PREFIX) &&
2604 ((ctxt->eflags & EFLG_ZF) == 0))
2606 if ((c->rep_prefix == REPNE_PREFIX) &&
2607 ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
2613 if (c->src.type == OP_MEM) {
2614 rc = read_emulated(ctxt, ops, (unsigned long)c->src.ptr,
2615 c->src.valptr, c->src.bytes);
2616 if (rc != X86EMUL_CONTINUE)
2618 c->src.orig_val64 = c->src.val64;
2621 if (c->src2.type == OP_MEM) {
2622 rc = read_emulated(ctxt, ops, (unsigned long)c->src2.ptr,
2623 &c->src2.val, c->src2.bytes);
2624 if (rc != X86EMUL_CONTINUE)
2628 if ((c->d & DstMask) == ImplicitOps)
2632 if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
2633 /* optimisation - avoid slow emulated read if Mov */
2634 rc = read_emulated(ctxt, ops, (unsigned long)c->dst.ptr,
2635 &c->dst.val, c->dst.bytes);
2636 if (rc != X86EMUL_CONTINUE)
2639 c->dst.orig_val = c->dst.val;
2649 emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
2651 case 0x06: /* push es */
2652 emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
2654 case 0x07: /* pop es */
2655 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
2656 if (rc != X86EMUL_CONTINUE)
2661 emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
2663 case 0x0e: /* push cs */
2664 emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
2668 emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
2670 case 0x16: /* push ss */
2671 emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
2673 case 0x17: /* pop ss */
2674 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
2675 if (rc != X86EMUL_CONTINUE)
2680 emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
2682 case 0x1e: /* push ds */
2683 emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
2685 case 0x1f: /* pop ds */
2686 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
2687 if (rc != X86EMUL_CONTINUE)
2692 emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
2696 emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
2700 emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
2704 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
2706 case 0x40 ... 0x47: /* inc r16/r32 */
2707 emulate_1op("inc", c->dst, ctxt->eflags);
2709 case 0x48 ... 0x4f: /* dec r16/r32 */
2710 emulate_1op("dec", c->dst, ctxt->eflags);
2712 case 0x50 ... 0x57: /* push reg */
2713 emulate_push(ctxt, ops);
2715 case 0x58 ... 0x5f: /* pop reg */
2717 rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
2718 if (rc != X86EMUL_CONTINUE)
2721 case 0x60: /* pusha */
2722 rc = emulate_pusha(ctxt, ops);
2723 if (rc != X86EMUL_CONTINUE)
2726 case 0x61: /* popa */
2727 rc = emulate_popa(ctxt, ops);
2728 if (rc != X86EMUL_CONTINUE)
2731 case 0x63: /* movsxd */
2732 if (ctxt->mode != X86EMUL_MODE_PROT64)
2733 goto cannot_emulate;
2734 c->dst.val = (s32) c->src.val;
2736 case 0x68: /* push imm */
2737 case 0x6a: /* push imm8 */
2738 emulate_push(ctxt, ops);
2740 case 0x6c: /* insb */
2741 case 0x6d: /* insw/insd */
2742 c->dst.bytes = min(c->dst.bytes, 4u);
2743 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2745 emulate_gp(ctxt, 0);
2748 if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
2749 c->regs[VCPU_REGS_RDX], &c->dst.val))
2750 goto done; /* IO is needed, skip writeback */
2752 case 0x6e: /* outsb */
2753 case 0x6f: /* outsw/outsd */
2754 c->src.bytes = min(c->src.bytes, 4u);
2755 if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
2757 emulate_gp(ctxt, 0);
2760 ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
2761 &c->src.val, 1, ctxt->vcpu);
2763 c->dst.type = OP_NONE; /* nothing to writeback */
2765 case 0x70 ... 0x7f: /* jcc (short) */
2766 if (test_cc(c->b, ctxt->eflags))
2767 jmp_rel(c, c->src.val);
2769 case 0x80 ... 0x83: /* Grp1 */
2770 switch (c->modrm_reg) {
2791 emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
2793 case 0x86 ... 0x87: /* xchg */
2795 /* Write back the register source. */
2796 switch (c->dst.bytes) {
2798 *(u8 *) c->src.ptr = (u8) c->dst.val;
2801 *(u16 *) c->src.ptr = (u16) c->dst.val;
2804 *c->src.ptr = (u32) c->dst.val;
2805 break; /* 64b reg: zero-extend */
2807 *c->src.ptr = c->dst.val;
2811 * Write back the memory destination with implicit LOCK
2814 c->dst.val = c->src.val;
2817 case 0x88 ... 0x8b: /* mov */
2819 case 0x8c: /* mov r/m, sreg */
2820 if (c->modrm_reg > VCPU_SREG_GS) {
2824 c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
2826 case 0x8d: /* lea r16/r32, m */
2827 c->dst.val = c->modrm_ea;
2829 case 0x8e: { /* mov seg, r/m16 */
2834 if (c->modrm_reg == VCPU_SREG_CS ||
2835 c->modrm_reg > VCPU_SREG_GS) {
2840 if (c->modrm_reg == VCPU_SREG_SS)
2841 ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
2843 rc = load_segment_descriptor(ctxt, ops, sel, c->modrm_reg);
2845 c->dst.type = OP_NONE; /* Disable writeback. */
2848 case 0x8f: /* pop (sole member of Grp1a) */
2849 rc = emulate_grp1a(ctxt, ops);
2850 if (rc != X86EMUL_CONTINUE)
2853 case 0x90: /* nop / xchg r8,rax */
2854 if (c->dst.ptr == (unsigned long *)&c->regs[VCPU_REGS_RAX]) {
2855 c->dst.type = OP_NONE; /* nop */
2858 case 0x91 ... 0x97: /* xchg reg,rax */
2859 c->src.type = OP_REG;
2860 c->src.bytes = c->op_bytes;
2861 c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
2862 c->src.val = *(c->src.ptr);
2864 case 0x9c: /* pushf */
2865 c->src.val = (unsigned long) ctxt->eflags;
2866 emulate_push(ctxt, ops);
2868 case 0x9d: /* popf */
2869 c->dst.type = OP_REG;
2870 c->dst.ptr = (unsigned long *) &ctxt->eflags;
2871 c->dst.bytes = c->op_bytes;
2872 rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
2873 if (rc != X86EMUL_CONTINUE)
2876 case 0xa0 ... 0xa3: /* mov */
2877 case 0xa4 ... 0xa5: /* movs */
2879 case 0xa6 ... 0xa7: /* cmps */
2880 c->dst.type = OP_NONE; /* Disable writeback. */
2881 DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
2883 case 0xa8 ... 0xa9: /* test ax, imm */
2885 case 0xaa ... 0xab: /* stos */
2886 c->dst.val = c->regs[VCPU_REGS_RAX];
2888 case 0xac ... 0xad: /* lods */
2890 case 0xae ... 0xaf: /* scas */
2891 DPRINTF("Urk! I don't handle SCAS.\n");
2892 goto cannot_emulate;
2893 case 0xb0 ... 0xbf: /* mov r, imm */
2898 case 0xc3: /* ret */
2899 c->dst.type = OP_REG;
2900 c->dst.ptr = &c->eip;
2901 c->dst.bytes = c->op_bytes;
2902 goto pop_instruction;
2903 case 0xc6 ... 0xc7: /* mov (sole member of Grp11) */
2905 c->dst.val = c->src.val;
2907 case 0xcb: /* ret far */
2908 rc = emulate_ret_far(ctxt, ops);
2909 if (rc != X86EMUL_CONTINUE)
2912 case 0xd0 ... 0xd1: /* Grp2 */
2916 case 0xd2 ... 0xd3: /* Grp2 */
2917 c->src.val = c->regs[VCPU_REGS_RCX];
2920 case 0xe4: /* inb */
2923 case 0xe6: /* outb */
2924 case 0xe7: /* out */
2926 case 0xe8: /* call (near) */ {
2927 long int rel = c->src.val;
2928 c->src.val = (unsigned long) c->eip;
2930 emulate_push(ctxt, ops);
2933 case 0xe9: /* jmp rel */
2935 case 0xea: { /* jmp far */
2938 memcpy(&sel, c->src.valptr + c->op_bytes, 2);
2940 if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
2944 memcpy(&c->eip, c->src.valptr, c->op_bytes);
2948 jmp: /* jmp rel short */
2949 jmp_rel(c, c->src.val);
2950 c->dst.type = OP_NONE; /* Disable writeback. */
2952 case 0xec: /* in al,dx */
2953 case 0xed: /* in (e/r)ax,dx */
2954 c->src.val = c->regs[VCPU_REGS_RDX];
2956 c->dst.bytes = min(c->dst.bytes, 4u);
2957 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2958 emulate_gp(ctxt, 0);
2961 if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
2963 goto done; /* IO is needed */
2965 case 0xee: /* out dx,al */
2966 case 0xef: /* out dx,(e/r)ax */
2967 c->src.val = c->regs[VCPU_REGS_RDX];
2969 c->dst.bytes = min(c->dst.bytes, 4u);
2970 if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
2971 emulate_gp(ctxt, 0);
2974 ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
2976 c->dst.type = OP_NONE; /* Disable writeback. */
2978 case 0xf4: /* hlt */
2979 ctxt->vcpu->arch.halt_request = 1;
2981 case 0xf5: /* cmc */
2982 /* complement carry flag from eflags reg */
2983 ctxt->eflags ^= EFLG_CF;
2984 c->dst.type = OP_NONE; /* Disable writeback. */
2986 case 0xf6 ... 0xf7: /* Grp3 */
2987 if (!emulate_grp3(ctxt, ops))
2988 goto cannot_emulate;
2990 case 0xf8: /* clc */
2991 ctxt->eflags &= ~EFLG_CF;
2992 c->dst.type = OP_NONE; /* Disable writeback. */
2994 case 0xfa: /* cli */
2995 if (emulator_bad_iopl(ctxt, ops)) {
2996 emulate_gp(ctxt, 0);
2999 ctxt->eflags &= ~X86_EFLAGS_IF;
3000 c->dst.type = OP_NONE; /* Disable writeback. */
3003 case 0xfb: /* sti */
3004 if (emulator_bad_iopl(ctxt, ops)) {
3005 emulate_gp(ctxt, 0);
3008 ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
3009 ctxt->eflags |= X86_EFLAGS_IF;
3010 c->dst.type = OP_NONE; /* Disable writeback. */
3013 case 0xfc: /* cld */
3014 ctxt->eflags &= ~EFLG_DF;
3015 c->dst.type = OP_NONE; /* Disable writeback. */
3017 case 0xfd: /* std */
3018 ctxt->eflags |= EFLG_DF;
3019 c->dst.type = OP_NONE; /* Disable writeback. */
3021 case 0xfe: /* Grp4 */
3023 rc = emulate_grp45(ctxt, ops);
3024 if (rc != X86EMUL_CONTINUE)
3027 case 0xff: /* Grp5 */
3028 if (c->modrm_reg == 5)
3034 rc = writeback(ctxt, ops);
3035 if (rc != X86EMUL_CONTINUE)
3039 * restore dst type in case the decoding will be reused
3040 * (happens for string instruction )
3042 c->dst.type = saved_dst_type;
3044 if ((c->d & SrcMask) == SrcSI)
3045 string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
3046 VCPU_REGS_RSI, &c->src);
3048 if ((c->d & DstMask) == DstDI)
3049 string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
3052 if (c->rep_prefix && (c->d & String)) {
3053 struct read_cache *rc = &ctxt->decode.io_read;
3054 register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
3056 * Re-enter guest when pio read ahead buffer is empty or,
3057 * if it is not used, after each 1024 iteration.
3059 if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
3060 (rc->end != 0 && rc->end == rc->pos))
3061 ctxt->restart = false;
3064 * reset read cache here in case string instruction is restared
3067 ctxt->decode.mem_read.end = 0;
3071 return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
3075 case 0x01: /* lgdt, lidt, lmsw */
3076 switch (c->modrm_reg) {
3078 unsigned long address;
3080 case 0: /* vmcall */
3081 if (c->modrm_mod != 3 || c->modrm_rm != 1)
3082 goto cannot_emulate;
3084 rc = kvm_fix_hypercall(ctxt->vcpu);
3085 if (rc != X86EMUL_CONTINUE)
3088 /* Let the processor re-execute the fixed hypercall */
3090 /* Disable writeback. */
3091 c->dst.type = OP_NONE;
3094 rc = read_descriptor(ctxt, ops, c->src.ptr,
3095 &size, &address, c->op_bytes);
3096 if (rc != X86EMUL_CONTINUE)
3098 realmode_lgdt(ctxt->vcpu, size, address);
3099 /* Disable writeback. */
3100 c->dst.type = OP_NONE;
3102 case 3: /* lidt/vmmcall */
3103 if (c->modrm_mod == 3) {
3104 switch (c->modrm_rm) {
3106 rc = kvm_fix_hypercall(ctxt->vcpu);
3107 if (rc != X86EMUL_CONTINUE)
3111 goto cannot_emulate;
3114 rc = read_descriptor(ctxt, ops, c->src.ptr,
3117 if (rc != X86EMUL_CONTINUE)
3119 realmode_lidt(ctxt->vcpu, size, address);
3121 /* Disable writeback. */
3122 c->dst.type = OP_NONE;
3126 c->dst.val = ops->get_cr(0, ctxt->vcpu);
3129 ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
3130 (c->src.val & 0x0f), ctxt->vcpu);
3131 c->dst.type = OP_NONE;
3133 case 5: /* not defined */
3137 emulate_invlpg(ctxt->vcpu, c->modrm_ea);
3138 /* Disable writeback. */
3139 c->dst.type = OP_NONE;
3142 goto cannot_emulate;
3145 case 0x05: /* syscall */
3146 rc = emulate_syscall(ctxt, ops);
3147 if (rc != X86EMUL_CONTINUE)
3153 emulate_clts(ctxt->vcpu);
3154 c->dst.type = OP_NONE;
3156 case 0x09: /* wbinvd */
3157 kvm_emulate_wbinvd(ctxt->vcpu);
3158 c->dst.type = OP_NONE;
3160 case 0x08: /* invd */
3161 case 0x0d: /* GrpP (prefetch) */
3162 case 0x18: /* Grp16 (prefetch/nop) */
3163 c->dst.type = OP_NONE;
3165 case 0x20: /* mov cr, reg */
3166 switch (c->modrm_reg) {
3173 c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
3174 c->dst.type = OP_NONE; /* no writeback */
3176 case 0x21: /* mov from dr to reg */
3177 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3178 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3182 ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
3183 c->dst.type = OP_NONE; /* no writeback */
3185 case 0x22: /* mov reg, cr */
3186 if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
3187 emulate_gp(ctxt, 0);
3190 c->dst.type = OP_NONE;
3192 case 0x23: /* mov from reg to dr */
3193 if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
3194 (c->modrm_reg == 4 || c->modrm_reg == 5)) {
3199 if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
3200 ((ctxt->mode == X86EMUL_MODE_PROT64) ?
3201 ~0ULL : ~0U), ctxt->vcpu) < 0) {
3202 /* #UD condition is already handled by the code above */
3203 emulate_gp(ctxt, 0);
3207 c->dst.type = OP_NONE; /* no writeback */
3211 msr_data = (u32)c->regs[VCPU_REGS_RAX]
3212 | ((u64)c->regs[VCPU_REGS_RDX] << 32);
3213 if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
3214 emulate_gp(ctxt, 0);
3217 rc = X86EMUL_CONTINUE;
3218 c->dst.type = OP_NONE;
3222 if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
3223 emulate_gp(ctxt, 0);
3226 c->regs[VCPU_REGS_RAX] = (u32)msr_data;
3227 c->regs[VCPU_REGS_RDX] = msr_data >> 32;
3229 rc = X86EMUL_CONTINUE;
3230 c->dst.type = OP_NONE;
3232 case 0x34: /* sysenter */
3233 rc = emulate_sysenter(ctxt, ops);
3234 if (rc != X86EMUL_CONTINUE)
3239 case 0x35: /* sysexit */
3240 rc = emulate_sysexit(ctxt, ops);
3241 if (rc != X86EMUL_CONTINUE)
3246 case 0x40 ... 0x4f: /* cmov */
3247 c->dst.val = c->dst.orig_val = c->src.val;
3248 if (!test_cc(c->b, ctxt->eflags))
3249 c->dst.type = OP_NONE; /* no writeback */
3251 case 0x80 ... 0x8f: /* jnz rel, etc*/
3252 if (test_cc(c->b, ctxt->eflags))
3253 jmp_rel(c, c->src.val);
3254 c->dst.type = OP_NONE;
3256 case 0xa0: /* push fs */
3257 emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
3259 case 0xa1: /* pop fs */
3260 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
3261 if (rc != X86EMUL_CONTINUE)
3266 c->dst.type = OP_NONE;
3267 /* only subword offset */
3268 c->src.val &= (c->dst.bytes << 3) - 1;
3269 emulate_2op_SrcV_nobyte("bt", c->src, c->dst, ctxt->eflags);
3271 case 0xa4: /* shld imm8, r, r/m */
3272 case 0xa5: /* shld cl, r, r/m */
3273 emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
3275 case 0xa8: /* push gs */
3276 emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
3278 case 0xa9: /* pop gs */
3279 rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
3280 if (rc != X86EMUL_CONTINUE)
3285 /* only subword offset */
3286 c->src.val &= (c->dst.bytes << 3) - 1;
3287 emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
3289 case 0xac: /* shrd imm8, r, r/m */
3290 case 0xad: /* shrd cl, r, r/m */
3291 emulate_2op_cl("shrd", c->src2, c->src, c->dst, ctxt->eflags);
3293 case 0xae: /* clflush */
3295 case 0xb0 ... 0xb1: /* cmpxchg */
3297 * Save real source value, then compare EAX against
3300 c->src.orig_val = c->src.val;
3301 c->src.val = c->regs[VCPU_REGS_RAX];
3302 emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
3303 if (ctxt->eflags & EFLG_ZF) {
3304 /* Success: write back to memory. */
3305 c->dst.val = c->src.orig_val;
3307 /* Failure: write the value we saw to EAX. */
3308 c->dst.type = OP_REG;
3309 c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
3314 /* only subword offset */
3315 c->src.val &= (c->dst.bytes << 3) - 1;
3316 emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
3318 case 0xb6 ... 0xb7: /* movzx */
3319 c->dst.bytes = c->op_bytes;
3320 c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
3323 case 0xba: /* Grp8 */
3324 switch (c->modrm_reg & 3) {
3337 /* only subword offset */
3338 c->src.val &= (c->dst.bytes << 3) - 1;
3339 emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
3341 case 0xbe ... 0xbf: /* movsx */
3342 c->dst.bytes = c->op_bytes;
3343 c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
3346 case 0xc3: /* movnti */
3347 c->dst.bytes = c->op_bytes;
3348 c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
3351 case 0xc7: /* Grp9 (cmpxchg8b) */
3352 rc = emulate_grp9(ctxt, ops);
3353 if (rc != X86EMUL_CONTINUE)
3360 DPRINTF("Cannot emulate %02x\n", c->b);
projects / linux.git / blob